The Cost of Email Fraud

Allison Howen

Posted on 6.23.2016

New Return Path data is shedding light on email fraud, revealing that subscribers are less likely to trust a brand following a phishing attack, with read rates dropping by up to 18 percentage points on Gmail and 11 percentage points on Yahoo.

What’s more, the data shows that phishing attacks have direct costs, with the average large company (defined as 10,000-plus employees) spending $3.7 million annually to recover from phishing attacks. This number includes lost productivity, customer service and regulatory fines. Plus, after a phishing attack, mailbox providers are more likely to flag legitimate email as spam. This results in average inbox placement rates dropping by up to 10 percentage points at Gmail and 7 percentage points at Yahoo.

“The immediate cost of phishing is staggering, but the bigger impact comes from loss of trust,” said Estelle Derouet, VP marketing, email fraud protection at Return Path. “If your brand reputation is damaged by email fraud, customers won’t open your emails and mailbox providers may not deliver your messages to the inbox. When that happens, you’ve lost a revenue opportunity – both now and in the future.”

Despite all of the data showing how costly phishing attacks can be, not many brands are taking steps to fight back. In fact, Return Path’s data found that 81 percent of marketers would be concerned or very concerned if customers received a malicious email that appeared to come from their brand. That said, only 32 percent of marketers say that securing email is a top priority in 2016, while 76 percent say they have little to no visibility into email attacks on their brands.

It is important to note, however, that mailbox providers are taking steps to fight fraud. Google, for instance, flags emails that fail authentication by replacing the company avatars with a red question mark, while Microsoft inserts a red safety notification at the top of known phishing messages and other messages that fail authentication.

“When it comes to phishing, email authentication standards like SPF, DKIM, and DMARC are no longer optional. They are essential best practices for ensuring that legitimate email won’t be treated like spam,” added Derouet. “Any company not proactively securing their email channel today risks losing not only priceless brand loyalty but also marketing-generated revenue.”
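The DMARC posture Derouet refers to can be read straight from a domain’s `_dmarc` TXT record. The following is an added example, not Return Path’s code or tooling, that parses constructed sample records and classifies how much spoofing protection each policy actually enforces; the domain names are placeholders.

```python
# Classify DMARC records by enforcement strength.
# Constructed sample records for offline use; a live check would fetch the
# TXT record at _dmarc.<domain> via DNS. Domains are placeholders.
SAMPLE_RECORDS = {
    "example-strict.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test; adkim=s; aspf=s",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25",
    "example-broken.test": "v=spf1 include:_spf.example.test -all",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag->value dict; raise on malformed input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def assess_policy(record: str) -> str:
    """Return one of: enforced, quarantine, partial, monitor-only, invalid."""
    try:
        tags = parse_dmarc(record)
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    if pct < 100:
        return "partial"  # policy applied to only a fraction of failing mail
    return "enforced" if policy == "reject" else "quarantine"


def report(records: dict) -> dict:
    """Map each domain to its assessed DMARC posture."""
    return {domain: assess_policy(rec) for domain, rec in records.items()}
```

Only a record that a receiver will act on (quarantine or reject at full percentage) changes what Gmail or Microsoft do with a failing message; a `p=none` record gives the visibility the survey says most marketers lack, but no enforcement.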